NIST 800-171 control 3.13.11 dictates that FIPS-validated cryptography is used when protecting the confidentiality of CUI. BitLocker is FIPS-validated, but it requires a setting before encryption that ensures that the encryption meets the standards set forth by FIPS 140-2. When encrypting devices with BitLocker, please be sure to follow the steps below to ensure that the encryption used is within parameters of control 3.13.11.
Option 1: Local Security Policy
- Open Local Security Policy as administrator
- Navigate to Local Policies =>Security Options
- Set System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to be Enabled
- Then, encrypt the machine using BitLocker
Option 2: Domain Group Policy
- Open Group Policy Management
- Choose one of the following options:
- To use an existing GPO to configure the necessary setting, link the _Campus-NIST800-171-FIPS-Compliant-BitLocker GPO to the OU where the computers in question reside.
- Otherwise: Locate an existing GPO or create a new GPO, right click it, and then select Edit
- When the Group Policy Management Editor opens, navigate to Policies =>Windows Settings =>Security Settings =>Local Policies =>Security Options
- Locate System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and open it
- Ensure the policy is defined and set to Enabled, and then click OK.
- Ensure the GPO is applied to the machine to be encrypted with BitLocker.
- Finally, encrypt the machine with BitLocker.
Special Case: Windows 7 Machine
If the machine is a Windows 7 machine, another step will need to be completed. As recovery passwords aren’t FIPS 140-2 compliant, any recovery passwords will need to be removed. This issue was resolved in Windows 8 and above. To ensure the Windows 7 machine is compliant:
- Open CMD as an administrator
- Run the following command:
- manage-bde -protectors -get c:
- Be sure to replace “c:” with the letter of the encrypted drive.
- In the result, locate ID: under Numerical Password: and copy the value
- Example value: {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}
- manage-bde -protectors -get c:
- When you have the value, run the following command to delete the recovery password:
- manage-bde -protectors -delete c: -id {########-####-####-####-############}
- Again, be sure to replace the drive letter as necessary.
- manage-bde -protectors -delete c: -id {########-####-####-####-############}
Recovery Options
To ensure the drive is recoverable, a few options are:
- Save the recovery keys in Active Directory
- Use BitLocker Data Recovery Agent
- Using an elevated command prompt, run the following command to create a recovery key:
- manage-bde -protectors -add c: -rk e:
- “e” is the drive on which you would like to save the .bek file which will recover the device if necessary.
- manage-bde -protectors -add c: -rk e:
Additional Information
For more information, please navigate to this link: How to Make Your Existing BitLocker Encrypted Environment FIPS Compliant
